Vulnerabilities > CVE-2016-3596 - Unspecified vulnerability in Oracle Outside in Technology 8.5.0/8.5.1/8.5.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
LOW Availability impact
LOW Summary
Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, and CVE-2016-3595.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 3 |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS16-108.NASL |
description | The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities : - Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code. (CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596) - An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information. (CVE-2016-3574) - Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590) - An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats. An unauthenticated, remote attacker can exploit this, via a crafted email using |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 93467 |
published | 2016-09-13 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/93467 |
title | MS16-108: Security Update for Microsoft Exchange Server (3185883) |
code |
|
Seebug
bulletinFamily | exploit |
description | ### Description When parsing a specially crafted BMP file, an erroneous memory copy operation can cause a heap buffer overflow leading to arbitrary code execution. ### Tested Versions Oracle Outside In Technology Content Access SDK 8.5.1. ### Product URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html ### Details While parsing a specially crafted BMP file, an unchecked value specifying bitmap width is used to calculate the size for the memory write operation. Compression method must be set to 0x01 or BI_RLE8. While reading the file, a piece of memory on the heap is effectively overwritten by zeros. The size of this overwrite is unchecked and comes straight from the bitmap width. This can lead to heap data structures overwrite with NULL bytes. In the supplied testcase, the out of bounds null byte write overwrites a function pointer which leads to a crash. By carefully tweaking the size of the overwrite, a function pointer on the heap can be manipulated and arbitrary code execution achieved. The supplied testcase has compression method bit set to 0x1 at offset 0x1E. BMP image data has the width field set to 0x4141 which gets used in the size of the overflow. The overflow happens in the function VwStreamRead in libvs_bmp.so (image base being 0xb7f80000), specifically in the following basic block: ``` .text:B7F826A9 loc_B7F826A9: .text:B7F826A9 mov byte ptr [ebp+0], 0 .text:B7F826AD add ebp, 1 .text:B7F826B0 lea eax, [edx+ebp] .text:B7F826B3 cmp word ptr [esp+1DCh+var_150], ax .text:B7F826BB ja short loc_B7F82 ``` Notice that the basic block loops back to itself as long as `ax` is less than `esp+1DCh+var_150` which contains the bitmap width value. Initial value of `ebp` is a heap pointer and memory starting at `ebp` gets overwritten by zeros without bounds checking, resulting in heap corruption. The vulnerability can be triggered with the supplied testcase in the `ixsample` application supplied with the SDK. The same vulnerability can be triggered through a specially crafted ICO file that contains the same BMP data. ### Timeline * 2015-10-19 - Discovery * 2016-04-20 - Initial Vendor Communication * 2016-07-19 - Public Release |
id | SSV:96699 |
last seen | 2017-11-19 |
modified | 2017-10-16 |
published | 2017-10-16 |
reporter | Root |
title | Oracle OIT ImageExport libvs_bmp BMP BI_RLE8 Width Code Execution Vulnerability(CVE-2016-3596) |
Talos
id | TALOS-2016-0163 |
last seen | 2019-05-29 |
published | 2016-07-19 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0163 |
title | Oracle OIT ImageExport libvs_bmp BMP BI_RLE8 Width Code Execution Vulnerability |
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91942
- http://www.securityfocus.com/bid/91942
- http://www.securitytracker.com/id/1036370
- http://www.securitytracker.com/id/1036370
- http://www-01.ibm.com/support/docview.wss?uid=swg21988009
- http://www-01.ibm.com/support/docview.wss?uid=swg21988009
- http://www-01.ibm.com/support/docview.wss?uid=swg21988718
- http://www-01.ibm.com/support/docview.wss?uid=swg21988718